tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

libfc: extend ex_lock to protect all of fc_seq_send

This warning was reported recently:

WARNING: at drivers/scsi/libfc/fc_exch.c:478 fc_seq_send+0x14f/0x160 [libfc]()
(Not tainted)
Hardware name: ProLiant DL120 G7
Modules linked in: tcm_fc target_core_iblock target_core_file target_core_pscsi
target_core_mod configfs dm_round_robin dm_multipath 8021q garp stp llc bnx2fc
cnic uio fcoe libfcoe libfc scsi_transport_fc scsi_tgt autofs4 sunrpc
pcc_cpufreq ipv6 hpilo hpwdt e1000e microcode iTCO_wdt iTCO_vendor_support
serio_raw shpchp ixgbe dca mdio sg ext4 mbcache jbd2 sd_mod crc_t10dif pata_acpi
ata_generic ata_piix hpsa dm_mirror dm_region_hash dm_log dm_mod [last unloaded:
scsi_wait_scan]
Pid: 5464, comm: target_completi Not tainted 2.6.32-272.el6.x86_64 #1
Call Trace:
[<ffffffff8106b747>] ? warn_slowpath_common+0x87/0xc0
[<ffffffff8106b79a>] ? warn_slowpath_null+0x1a/0x20
[<ffffffffa025f7df>] ? fc_seq_send+0x14f/0x160 [libfc]
[<ffffffffa035cbce>] ? ft_queue_status+0x16e/0x210 [tcm_fc]
[<ffffffffa030a660>] ? target_complete_ok_work+0x0/0x4b0 [target_core_mod]
[<ffffffffa030a766>] ? target_complete_ok_work+0x106/0x4b0 [target_core_mod]
[<ffffffffa030a660>] ? target_complete_ok_work+0x0/0x4b0 [target_core_mod]
[<ffffffff8108c760>] ? worker_thread+0x170/0x2a0
[<ffffffff810920d0>] ? autoremove_wake_function+0x0/0x40
[<ffffffff8108c5f0>] ? worker_thread+0x0/0x2a0
[<ffffffff81091d66>] ? kthread+0x96/0xa0
[<ffffffff8100c14a>] ? child_rip+0xa/0x20
[<ffffffff81091cd0>] ? kthread+0x0/0xa0
[<ffffffff8100c140>] ? child_rip+0x0/0x20

It occurs because fc_seq_send can have multiple contexts executing within it at
the same time, and fc_seq_send doesn't consistently use the ep->ex_lock that
protects this structure. Because of that, its possible for one context to clear
the INIT bit in the ep->esb_state field while another checks it, leading to the
above stack trace generated by the WARN_ON in the function.

We should probably undertake the effort to convert access to the fc_exch
structures to use rcu, but that a larger work item. To just fix this specific
issue, we can just extend the ex_lock protection through the entire fc_seq_send
path

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: Gris Ge <fge@redhat.com>
CC: Robert Love <robert.w.love@intel.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>

authored by Neil Horman and committed by Robert Love fb00cc23 732bdb9d

options
unified split
Changed files
+24 -13
drivers
scsi
libfc
fc_exch.c
+24 -13
drivers/scsi/libfc/fc_exch.c
··· 463 463 fc_exch_release(ep); /* drop hold for exch in mp */ 464 464 } 465 465 466 - /** 467 - * fc_seq_send() - Send a frame using existing sequence/exchange pair 468 - * @lport: The local port that the exchange will be sent on 469 - * @sp: The sequence to be sent 470 - * @fp: The frame to be sent on the exchange 471 - */ 472 - static int fc_seq_send(struct fc_lport *lport, struct fc_seq *sp, 466 + static int fc_seq_send_locked(struct fc_lport *lport, struct fc_seq *sp, 473 467 struct fc_frame *fp) 474 468 { 475 469 struct fc_exch *ep; ··· 473 479 u8 fh_type = fh->fh_type; 474 480 475 481 ep = fc_seq_exch(sp); 476 - WARN_ON((ep->esb_stat & ESB_ST_SEQ_INIT) != ESB_ST_SEQ_INIT); 482 + WARN_ON(!(ep->esb_stat & ESB_ST_SEQ_INIT)); 477 483 478 484 f_ctl = ntoh24(fh->fh_f_ctl); 479 485 fc_exch_setup_hdr(ep, fp, f_ctl); ··· 496 502 error = lport->tt.frame_send(lport, fp); 497 503 498 504 if (fh_type == FC_TYPE_BLS) 499 - return error; 505 + goto out; 500 506 501 507 /* 502 508 * Update the exchange and sequence flags, 503 509 * assuming all frames for the sequence have been sent. 504 510 * We can only be called to send once for each sequence. 505 511 */ 506 - spin_lock_bh(&ep->ex_lock); 507 512 ep->f_ctl = f_ctl & ~FC_FC_FIRST_SEQ; /* not first seq */ 508 513 if (f_ctl & FC_FC_SEQ_INIT) 509 514 ep->esb_stat &= ~ESB_ST_SEQ_INIT; 515 + out: 516 + return error; 517 + } 518 + 519 + /** 520 + * fc_seq_send() - Send a frame using existing sequence/exchange pair 521 + * @lport: The local port that the exchange will be sent on 522 + * @sp: The sequence to be sent 523 + * @fp: The frame to be sent on the exchange 524 + */ 525 + static int fc_seq_send(struct fc_lport *lport, struct fc_seq *sp, 526 + struct fc_frame *fp) 527 + { 528 + struct fc_exch *ep; 529 + int error; 530 + ep = fc_seq_exch(sp); 531 + spin_lock_bh(&ep->ex_lock); 532 + error = fc_seq_send_locked(lport, sp, fp); 510 533 spin_unlock_bh(&ep->ex_lock); 511 534 return error; 512 535 } ··· 640 629 if (fp) { 641 630 fc_fill_fc_hdr(fp, FC_RCTL_BA_ABTS, ep->did, ep->sid, 642 631 FC_TYPE_BLS, FC_FC_END_SEQ | FC_FC_SEQ_INIT, 0); 643 - error = fc_seq_send(ep->lp, sp, fp); 632 + error = fc_seq_send_locked(ep->lp, sp, fp); 644 633 } else 645 634 error = -ENOBUFS; 646 635 return error; ··· 1143 1132 f_ctl = FC_FC_LAST_SEQ | FC_FC_END_SEQ | FC_FC_SEQ_INIT; 1144 1133 f_ctl |= ep->f_ctl; 1145 1134 fc_fill_fc_hdr(fp, rctl, ep->did, ep->sid, fh_type, f_ctl, 0); 1146 - fc_seq_send(ep->lp, sp, fp); 1135 + fc_seq_send_locked(ep->lp, sp, fp); 1147 1136 } 1148 1137 1149 1138 /** ··· 1318 1307 ap->ba_low_seq_cnt = htons(sp->cnt); 1319 1308 } 1320 1309 sp = fc_seq_start_next_locked(sp); 1321 - spin_unlock_bh(&ep->ex_lock); 1322 1310 fc_seq_send_last(sp, fp, FC_RCTL_BA_ACC, FC_TYPE_BLS); 1311 + spin_unlock_bh(&ep->ex_lock); 1323 1312 fc_frame_free(rx_fp); 1324 1313 return; 1325 1314